[OpenID] About Facebook, MySpace and OpenID

Andrew Arnott andrewarnott at gmail.com
Sat Apr 4 03:08:06 UTC 2009

Here's my two cents on AX if_available vs. required:

As has already been said, Google is the only OP I've heard of that totally
ignores "if_available".  Granted, it makes the user experience look simpler
while the user is at Google, but then the user goes to the RP and has to
enter it anyway.  Of course, if the RP was to demand the email address of
the user at that point, then perhaps they really should have used 'required'.

'required' suggests that if it isn't there, then authentication fails.  But
some OPs don't support a given attribute type URI, and this would break
authentication... that's bad.  So if we admit the OP might ignore the
required attribute, then we can expect the RP will demand the attribute of
the user when auth completes.

'if_available' suggests if the OP happens to know it, then the RP wants it.
This isn't an 'if_user_opts_in' parameter, which makes it basically the
same as 'required', except the OP can feel less bad about not supplying it.

Personally, I'd like checkboxes on each attribute during login.  InfoCard is
one model that considered required to be absolutely required.  A Card cannot
be used to login unless it has all the required attributes.  In addition,
the optional attributes can collectively be turned on or off.  Personally, I
miss the flexibility of saying, "well yes, I want to supply this optional
attribute, but not this one".  But I'll submit on this one since most people
here feel that most users don't want that flexibility.

I agree that RPs and OPs need a better contract of the semantics of required
vs if_available.  All the RPs are upgrading their email requests to required
so that they work with Google.  Apparently they really wanted email and they
were getting it until now.  Is 'required' the right one to use in the first
place?  Perhaps.  But we should decide this by spec rather than by one
company's implementation.  If AX 2.0 eliminates "if_available" because it
really doesn't make sense to have two levels of demand, I won't care.  But
let's not let that happen accidentally.

Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire

On Fri, Apr 3, 2009 at 12:50 PM, John Bradley <john.bradley at wingaa.com> wrote:

> Hi Breno,
> I will grant you that the choice google has made to deny returning optional
> claims to the RP without a user dialog makes the UI simpler.
> The problem for RPs is that they may still be willing to accept the login
> without the email and collect or verify the email in some other manner.
> As other AX claims start getting used this becomes more of an issue.
> From an RP point of view, OPs dealing with AX requests in a consistent way
> is a requirement.
> They now have no way of asking for optional claims for form
> filling during account creation etc if OPs take your approach.
> If the issue is a reluctance to give the user fine grained control over the
> AX attributes returned, I could live with a compromise.
> The "This site is requesting access to additional information listed
> below"  is missing some urgency in my opinion.
> It needs to be clear that the information will be returned to the RP.
> At the moment you have two options: "Continue Signin" and "Cancel".
> Change that to "Signin with all requested information", "Signin with
> only required information", and "Cancel".
> The optional and required elements above need to be differentiated in some
> way.
> This would reduce the number of check boxes and maintain the spirit of AX
> optional vs required claims.
> The oAuth + openID solution you are working on is good but perhaps overkill
> for smaller RPs.
> I would like to find a way that AX can work with a consistent claim set in
> a predictable way.
> By the way, we don't have the Google OP listed as an OSIS participant; we
> have Blogger but not the new OP.
> Let me know if you want to participate in I5 this year.
> I am happy to work on AX issues with you, though UX is not my area of
> expertise as you know:)
> Regards
> John Bradley
> On 3-Apr-09, at 11:31 AM, Breno de Medeiros wrote:
>> <Snip>
>> What OPs need to do:
>> Vidoop:  Nothing works now
>> MyOpenID:  Get with the program and support the standard claim URI,
>> otherwise it would work now.
>> Google:  Stop ignoring AX requests that are not marked required.   The
>> world doesn't revolve around you.
> Well, should the world revolve around the users? They keep telling anyone
> who would listen that they don't like checkboxes.  Checkboxes are also
> terrible for accessibility.
> Suggestions appreciated.
>> MySpace: Support AX please
>> AOL:  Support openID 2.0 + AX
>> Yahoo:  Support AX
>> OP's have had the specs and tools to do this for a long time now.  It is
>> not like we need to invent something new.
>> Let's get what we have working well, please.
>> Regards
>> John Bradley
>> T-8) / PDT(GMT-7)
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
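The thread above argues about what an RP should do when an OP honours only `openid.ax.required` and drops `openid.ax.if_available`. The following is an added example, not code from the thread or from any of the participants' projects, showing one RP-side reconciliation of an AX fetch request against the fetch response. The type URIs are the real axschema.org ones; the aliases, the three sample responses, and the `reconcile`/`login_outcome` helpers are constructed for illustration. It assumes the OpenID assertion has already been signature-verified and that `openid.signed` covers every `ax.*` field, and that the OP used the alias `ax` for the extension namespace (a full implementation resolves `openid.ns.<alias>` instead of hard-coding it).

```python
# Added example: RP-side handling of OpenID AX 'required' vs 'if_available'.
# Assumes the assertion signature has already been verified and that the
# 'ax' namespace alias is in use. Aliases and sample responses are constructed.

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL = "http://axschema.org/contact/email"
FIRSTNAME = "http://axschema.org/namePerson/first"
LASTNAME = "http://axschema.org/namePerson/last"


def build_fetch_request(required, if_available):
    """Build the openid.* parameters for an AX fetch_request.

    required / if_available are dicts mapping our alias -> type URI.
    """
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, uri in {**required, **if_available}.items():
        params[f"openid.ax.type.{alias}"] = uri
    if required:
        params["openid.ax.required"] = ",".join(required)
    if if_available:
        params["openid.ax.if_available"] = ",".join(if_available)
    return params


def parse_fetch_response(params):
    """Return {type URI: [values]} from an AX fetch_response.

    Match on the type URI, never on the alias: the OP picks its own aliases
    in the response, so keying on the request's aliases would silently drop
    or mis-attribute values.
    """
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        return {}
    by_uri = {}
    for key, uri in params.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        values = []
        count_key = f"openid.ax.count.{alias}"
        if count_key in params:  # multi-valued attribute: value.<alias>.1 .. N
            for i in range(1, int(params[count_key]) + 1):
                v = params.get(f"openid.ax.value.{alias}.{i}")
                if v is not None:
                    values.append(v)
        else:
            v = params.get(f"openid.ax.value.{alias}")
            if v is not None:
                values.append(v)
        by_uri[uri] = values
    return by_uri


def _uris_for(request, list_key):
    aliases = [a for a in request.get(list_key, "").split(",") if a]
    return [request[f"openid.ax.type.{a}"] for a in aliases]


def reconcile(request, response_params):
    """Return (attributes, missing_required, missing_optional).

    attributes is {type URI: first value} for what the OP returned AND we
    asked for; anything unrequested is dropped rather than trusted.
    """
    returned = parse_fetch_response(response_params)
    required = _uris_for(request, "openid.ax.required")
    optional = _uris_for(request, "openid.ax.if_available")
    attributes = {uri: vals[0] for uri, vals in returned.items()
                  if uri in required + optional and vals}
    missing_required = [u for u in required if u not in attributes]
    missing_optional = [u for u in optional if u not in attributes]
    return attributes, missing_required, missing_optional


REQUEST = build_fetch_request(required={"email": EMAIL},
                              if_available={"first": FIRSTNAME, "last": LASTNAME})

# Constructed response 1: OP honours both lists, uses its own aliases, and
# also volunteers an attribute we never asked for (which reconcile drops).
FULL_RESPONSE = {
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.ext0": EMAIL, "openid.ax.value.ext0": "alice@example.com",
    "openid.ax.type.ext1": FIRSTNAME, "openid.ax.value.ext1": "Alice",
    "openid.ax.type.ext2": LASTNAME, "openid.ax.value.ext2": "Liddell",
    "openid.ax.type.ext3": "http://axschema.org/contact/postalCode/home",
    "openid.ax.value.ext3": "00000",
}

# Constructed response 2: OP ignores if_available, as the thread describes.
REQUIRED_ONLY_RESPONSE = {
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.ext0": EMAIL, "openid.ax.value.ext0": "alice@example.com",
}

# Constructed response 3: OP does not support the requested type URI at all.
EMPTY_RESPONSE = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}


def login_outcome(response_params):
    """What the RP does next: 'complete', 'prompt_optional' or 'prompt_required'.

    Following the thread's position, a missing required attribute does not
    fail authentication; the RP asks the user for it once auth completes.
    """
    _, missing_required, missing_optional = reconcile(REQUEST, response_params)
    if missing_required:
        return "prompt_required"
    if missing_optional:
        return "prompt_optional"
    return "complete"
```

The point the code makes that the prose does not: an RP that keys its lookup on its own request aliases, or that accepts whatever type URIs the OP returns, gets the semantics wrong before the `required` vs `if_available` question even arises. Reconciling by type URI against the original request is what lets the RP tell "OP dropped the optional attribute" apart from "OP does not support the attribute at all".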